Rootkit


Although the name root kit suggests a component for obtaining root access on a computer system, its only purpose is to help an attacker keep root access that was obtained previously.
DEFINITIONS

* "A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network."
  Courtesy: SANS
DEFINITIONS

* "A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems."
  Courtesy: NSA
What does a Root Kit do?

* Hide attacker activities: files, processes and network connections
* Provide unauthorized access
* Eavesdropping tools
* Clean logs
* Hacking tools
* Integrity checker deceivers
CLASSIFICATION

* Linux Root Kit
  - User Mode
  - Kernel Mode
* Windows Root Kit
  - Kernel Mode
USER MODE ROOTKIT

* Replaces specific system programs used to extract information from the system
* Can include additional tools like sniffers and password crackers

Files usually substituted:
* File hiding: du, find, sync, ls, df, lsof, netstat
* Hide PROCESSES: killall, pidof, ps, top, lsof
* SNIFFING & data acquisition: ifconfig (hide the PROMISC flag), passwd
USER MODE ROOTKIT contd

Files usually substituted:
* Hide CONNECTIONS: netstat, tcpd, lsof, route, arp
* Execute tasks: crontab, reboot, halt, shutdown
* Hide LOGS: syslogd, tcpd
* Hide LOGINS: w, who, last... (no recording in utmp, wtmp, btmp, lastlog...)
* BACKDOORS: inetd, login, rlogin, rshd, telnetd, sshd, su, chfn, passwd, chsh, sudo
USER MODE ROOTKIT contd

Tools to hide evidence
* addlen: tool to fit the trojaned file size to the original one.
* fix: changes the creation date and checksum (non-cryptographic) of any program.
* [tool name illegible in the source]: has edit capabilities for the wtmp and utmp log files.
* zap: zeroes out log file entries (utmp, wtmp, lastlog (Solaris), messages...).
* Zap2 (z2): erases log file entries: utmp, wtmp, lastlog...
USER MODE ROOTKIT contd

Disadvantages
- Too many binaries to replace, thus prone to mistakes
- Verification through checksums is easy and OS dependent.

Some Famous Root Kits
- t0rnkit
- LRK, The Linux Rootkit
- There are many others coming up every day.
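The "verification through checksums" disadvantage above is the defender's opening: a user-mode rootkit must leave replaced binaries on disk, and tools such as addlen and fix only forge length, timestamps and non-cryptographic checksums. The following baseline-and-verify checker is an added example (not from the original slides) that records size, mtime and a SHA-256 digest for a set of trusted binaries and reports any file whose content changed even when its metadata was restored. The "binaries" are constructed files in a temporary directory so the demo runs anywhere; on a real host the baseline must be built from a known-clean image and kept off the monitored machine.

```python
"""Baseline-and-verify integrity check for a set of system binaries.

Added example, not from the original slides. The files below are
constructed in a temporary directory; a real baseline is taken from a trusted
image and stored off-box, otherwise the intruder simply rewrites it.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Stream a file through a cryptographic hash (64 KiB chunks)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, mtime and SHA-256 for every trusted binary."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"size": st.st_size,
                       "mtime": int(st.st_mtime),
                       "sha256": file_digest(p)}
    return baseline


def verify(baseline):
    """Return {path: reason} for each file that no longer matches.

    The digest is authoritative. Size and mtime are reported only to show
    whether they were forged: addlen pads the trojan to the original length
    and fix resets the timestamp, so matching metadata proves nothing.
    """
    findings = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if file_digest(p) != rec["sha256"]:
            reason = "content changed"
            if st.st_size == rec["size"] and int(st.st_mtime) == rec["mtime"]:
                reason += " (size and mtime unchanged: metadata was forged)"
            findings[p] = reason
    return findings


def demo():
    """Build a baseline over two constructed 'binaries', then replace one with
    a same-length file and restore its timestamp, as addlen/fix would."""
    d = tempfile.mkdtemp()
    ps, ls = os.path.join(d, "ps"), os.path.join(d, "ls")
    with open(ps, "wb") as f:
        f.write(b"original ps binary\n")  # 19 bytes
    with open(ls, "wb") as f:
        f.write(b"original ls binary\n")
    baseline = build_baseline([ps, ls])

    st = os.stat(ps)
    with open(ps, "wb") as f:
        f.write(b"trojaned ps binary\n")  # also 19 bytes
    os.utime(ps, (st.st_atime, st.st_mtime))  # put the old mtime back
    return verify(baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Only the replaced file is reported, and the reason notes that its size and mtime still match the baseline: the check must rest on the digest, not on the metadata the rootkit's helper tools are built to fake. A user-mode rootkit cannot interfere with this check; a kernel-mode one can, which is the point of the next slides.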
KERNEL MODE ROOT KIT

* A user mode root kit requires various binaries to be manipulated; a kernel mode root kit requires only altering the kernel.
* The kernel rootkits provide all the user-mode rootkit features from a low level, and their hiding and deception capabilities can trick all user-mode inspection tools.
* The goal of a kernel rootkit is placing the malicious code inside the kernel source by manipulating the kernel.

© CERT-IN, 29th March 2005

[Figure: path of a directory listing. User mode: system library, getdents(). System call interface. Kernel mode: kernel functions.]
[Figure: normal kernel-mode path of a system call]
  interrupt handler -> Interrupt Descriptor Table -> system call -> Syscall Table -> sys_getdents() -> access virtual filesystem -> access actual filesystem

[Figure: kernel rootkit redirecting the system call table]
  interrupt handler -> Interrupt Descriptor Table -> system call -> Syscall Table (modified copy) -> Rootkit -> sys_getdents() -> access virtual filesystem -> access actual filesystem

[Figure: kernel rootkit hooking below the system call handler]
  interrupt handler -> Interrupt Descriptor Table -> system call -> Syscall Table -> sys_getdents() -> Rootkit -> access virtual filesystem -> access actual filesystem
ROOTKIT DETECTION

* Anomaly search
  - Files
  - Network usage
  - Scheduled and booting tasks
  - Accounts
  - Log and user history entries

* /proc pseudo file system
  - /proc/cmdline
  - /proc/kcore
  - /proc/kmsg
  - /proc/ksyms
  - /proc/modules
  - /proc/version
  - /proc/sys
ROOTKIT DETECTION

* Suspicious files, directories and disk usage
  - System files in /tmp, /dev, font directories
  - Hard link count and directory size
  - Hard link count analysis
  - Total block count analysis

* MAC times
  - Time stamp analysis
ROOTKIT DETECTION

* Logging system call traces: strace
* Detecting (and recovering) deleted executables and open files
* Network connections
* Detecting promiscuous NIC
* Integrity
* Checking rootkit features
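Three of the checks on the last two slides (hard link count analysis, the process check behind tools such as check_ps, and detecting a promiscuous NIC) share one idea: ask the kernel the same question by two different routes and compare the answers. The script below is an added example, not from the original slides, that does exactly that without privileges. A directory's link count is 2 plus one per subdirectory, so a getdents() hook that hides a directory leaves the count one higher than the visible listing; a hidden process still answers kill(pid, 0) even when it is filtered out of readdir("/proc"); and the kernel's own interface flags in /sys/class/net show IFF_PROMISC no matter what a replaced ifconfig prints. The demo directory is constructed; IFF_PROMISC is the value from <linux/if.h>.

```python
"""Hidden-object checks from the detection slides, from the defender's side:
hard-link-count analysis for directories, a /proc brute force for processes
(the check_ps idea) and a promiscuous-interface check that bypasses ifconfig.

Added example, not part of the original slides. Everything runs unprivileged
against /proc and /sys; the demo directory is constructed.
"""
import os
import tempfile

IFF_PROMISC = 0x100  # IFF_PROMISC from <linux/if.h>


def expected_subdirs(st_nlink):
    """A directory owns 2 links ('.' and its entry in the parent) plus one
    '..' link from each subdirectory, so a listing should show nlink - 2."""
    return st_nlink - 2


def hidden_subdir_count(path):
    """Subdirectories a getdents() hook would have to be hiding for the link
    count to add up (0 when it does). None when the filesystem does not keep
    directory link counts (btrfs and overlayfs report 1)."""
    st = os.lstat(path)
    if st.st_nlink < 2:
        return None
    visible = sum(1 for e in os.scandir(path)
                  if e.is_dir(follow_symlinks=False))
    return expected_subdirs(st.st_nlink) - visible


def demo_dir(n=3):
    """Constructed directory with n visible subdirectories; expect 0."""
    d = tempfile.mkdtemp()
    for i in range(n):
        os.mkdir(os.path.join(d, f"sub{i}"))
    return hidden_subdir_count(d)


def hidden_pids(listed, probed):
    """Pure set logic: PIDs that answered kill(pid, 0) but were missing from
    the readdir('/proc') listing that ps and top rely on."""
    return sorted(set(probed) - set(listed))


def is_thread(pid):
    """Non-leader threads answer kill() yet are legitimately absent from the
    /proc listing; their status file shows a Tgid different from the pid."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def list_proc_pids():
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def scan_proc(pid_max=None):
    """Probe every PID with signal 0 and compare against readdir('/proc')."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    before = list_proc_pids()
    probed = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)  # signal 0: existence check only
            probed.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:  # exists but belongs to another user
            probed.add(pid)
    # Processes born during the sweep are not hidden: list /proc again.
    listed = before | list_proc_pids()
    return [p for p in hidden_pids(listed, probed) if not is_thread(p)]


def is_promisc(flags):
    """True when the IFF_PROMISC bit is set in an interface's flags word."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Read the kernel's own flags word from sysfs, so a replaced ifconfig
    that strips PROMISC from its output changes nothing here."""
    found = []
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as f:
                flags = int(f.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if is_promisc(flags):
            found.append(name)
    return found


if __name__ == "__main__":
    print("hidden subdirs in demo dir:", demo_dir())
    print("pids hidden from readdir(/proc):", scan_proc())
    print("promiscuous interfaces:", promiscuous_interfaces())
```

All three comparisons defeat a user-mode rootkit outright, because the trojaned ls, ps and ifconfig are simply not consulted. Against the kernel-mode rootkits of the previous slides they are weaker: a kernel that lies in getdents() can also lie in stat(), kill() and sysfs reads, so consistent answers from a possibly compromised kernel are evidence, not proof, and the host should ultimately be examined from trusted media.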
ROOTKIT DETECTION

* Tools
  - Saint Jude
  - chkrootkit
  - Rootkit Hunter
  - RkScan
  - The "Carbonite" LKM
  - Kstat
  - Exporting standard and debugging module symbols
  - Kernel memory scanning
  - System call table: LKM or memory dump
  - Execution path analysis
  - CheckIDT
  - The kern_check tool
  - The check_ps tool
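The "system call table: LKM or memory dump" entry and the kern_check tool rest on the same comparison: take the addresses the running kernel actually dispatches to and check them against the addresses recorded in a trusted System.map, which is also why the next slides list System.map protection. The script below is an added example, not from the original slides or from kern_check itself. Both symbol tables are constructed; on a real host SYSTEM_MAP is the file saved from the kernel build and LIVE_DUMP is produced by a trusted LKM or extracted from a memory image. One detail the 2005 slides predate is KASLR: the whole kernel image is now relocated at boot, so every address differs from System.map by a constant, and the check first derives that constant from a reference symbol (_stext, an assumption) before looking for the single entry that does not fit.

```python
"""Compare a trusted System.map against a dump of the running kernel's system
call handler addresses, the check the kern_check tool performs and the reason
the slides list System.map protection.

Added example, not from the original slides. Both tables are constructed: on
a real host SYSTEM_MAP comes from the kernel build and LIVE_DUMP from a
trusted LKM or a memory image, as the tools slide says.
"""

REFERENCE = "_stext"  # symbol used to derive the relocation (KASLR) offset

# Constructed System.map excerpt saved at build time.
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81294f80 T __x64_sys_getdents64
ffffffff81295230 T __x64_sys_kill
ffffffff81e00300 R sys_call_table
"""

# Constructed dump of the live kernel in the same format. The kernel was
# relocated 0x2000000 higher at boot, and the getdents64 entry now points
# into module address space: the signature of a redirected syscall table.
LIVE_DUMP = """\
ffffffff83000000 T _stext
ffffffffc0a01000 T __x64_sys_getdents64
ffffffff83295230 T __x64_sys_kill
ffffffff83e00300 R sys_call_table
"""


def parse_symbols(text):
    """'address type name [module]' lines -> {name: address}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            table[parts[2]] = int(parts[0], 16)
    return table


def compare_symbols(sysmap_text, live_text, names=None):
    """Return (slide, mismatches): slide is the relocation offset derived from
    REFERENCE, mismatches maps symbol -> (expected, live). Without the slide
    correction every symbol on a KASLR kernel would mismatch and the one real
    redirection would drown in noise."""
    sysmap = parse_symbols(sysmap_text)
    live = parse_symbols(live_text)
    if REFERENCE not in sysmap or REFERENCE not in live:
        raise ValueError(f"{REFERENCE} missing from a table; cannot compare")
    slide = live[REFERENCE] - sysmap[REFERENCE]
    if names is None:
        names = [n for n in sysmap if n in live]
    mismatches = {}
    for name in names:
        expected = sysmap[name] + slide
        if live.get(name) != expected:
            mismatches[name] = (expected, live.get(name))
    return slide, mismatches


def report(sysmap_text=SYSTEM_MAP, live_text=LIVE_DUMP):
    """Human-readable lines: the offset, then one line per mismatch."""
    slide, mismatches = compare_symbols(sysmap_text, live_text)
    lines = [f"relocation offset: {slide:#x}"]
    for name, (expected, got) in mismatches.items():
        got_s = f"{got:#x}" if got is not None else "absent"
        lines.append(f"MISMATCH {name}: expected {expected:#x}, live {got_s}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The output flags only __x64_sys_getdents64: its live address lies in the module region rather than at System.map's address plus the common offset, which is what a loaded rootkit module replacing a table entry looks like. The comparison is only as good as its inputs, so the System.map must come from a copy the intruder could not edit, and the live addresses must be read by a path the rootkit does not control.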
PROTECTING LINUX KERNEL

* OS hardening
* Patching the kernel vulnerabilities
* Linux bootstrap process analysis
* Kernel compilation without module support
* Kernel hardening
* Restricted operations and capabilities
* "System.map" protection
* System call table export
PROTECTING LINUX KERNEL

* LKM Protection
  - modlock (LKM locking)
  - syscall_sentry LKM
  - Toby LKM
  - St. Michael
  - LIDS